Platform/RaspberryPi/RPi4/RPi4.dsc | 5 ++++- Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-)
This commit allows to initialize Secure Boot default key
and databases from data embedded in firmware binary.
Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com>
---
Platform/RaspberryPi/RPi4/RPi4.dsc | 5 ++++-
Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc b/Platform/RaspberryPi/RPi4/RPi4.dsc
index d8c6fdd4bd..1fb4df0b81 100644
--- a/Platform/RaspberryPi/RPi4/RPi4.dsc
+++ b/Platform/RaspberryPi/RPi4/RPi4.dsc
@@ -164,7 +164,7 @@
!if $(SECURE_BOOT_ENABLE) == TRUE
TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf
AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
-
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
# re-use the UserPhysicalPresent() dummy implementation from the ovmf tree
PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf
!else
@@ -217,6 +217,7 @@
MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf
HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf
ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf
+ ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf
FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf
[LibraryClasses.common.UEFI_DRIVER]
@@ -612,6 +613,8 @@
NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
}
SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+ SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf
+ SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
!else
MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf
!endif
diff --git a/Platform/RaspberryPi/RPi4/RPi4.fdf b/Platform/RaspberryPi/RPi4/RPi4.fdf
index 1e13909a57..0e43d24c7a 100644
--- a/Platform/RaspberryPi/RPi4/RPi4.fdf
+++ b/Platform/RaspberryPi/RPi4/RPi4.fdf
@@ -189,7 +189,9 @@ READ_LOCK_STATUS = TRUE
INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf
INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
!if $(SECURE_BOOT_ENABLE) == TRUE
+!include SecurityPkg/SecureBootDefaultKeys.fdf.inc
INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
+ INF SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf
!endif
INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf
INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#75901): https://edk2.groups.io/g/devel/message/75901
Mute This Topic: https://groups.io/mt/83232294/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
This whole patch series looks fine to me. I have tested it on Raspberry Pi 4, and I have some changes lined up to ensure that the next Pi 4 firmware we produce, after this series has been integrated, can use the new feature. For the record, since we are using an automated build system (and the Pi 4 can't exactly be considered as a secure platform anyway), my plan is to discard the PK's private key and include only MS KEK and DBs for the time being. Basically, it should go something like this: openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Raspberry Pi Platform Key/" -keyout /dev/null -outform DER -out keys/pk.cer -days 7300 -nodes -sha256 curl -L https://go.microsoft.com/fwlink/?LinkId=321185 -o keys/ms_kek.cer curl -L https://go.microsoft.com/fwlink/?linkid=321192 -o keys/ms_db1.crt curl -L https://go.microsoft.com/fwlink/?linkid=321194 -o keys/ms_db2.crt curl -L https://uefi.org/sites/default/files/resources/dbxupdate_arm64.bin -o keys/arm64_dbx.bin and then use the files above for the DEFAULT_FILE vars. With this, I was able to get the default keys installed using the new Secure Boot menu, and validated that something like the Windows bootloader would load properly, whereas an unsigned bootloader such as the GRUB one wouldn't. Please find my formal R-b for this patch below: On 2021.06.01 14:12, Grzegorz Bernacki wrote: > This commit allows to initialize Secure Boot default key > and databases from data embedded in firmware binary. > > Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com> > --- > Platform/RaspberryPi/RPi4/RPi4.dsc | 5 ++++- > Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++ > 2 files changed, 6 insertions(+), 1 deletion(-) > > diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc b/Platform/RaspberryPi/RPi4/RPi4.dsc > index d8c6fdd4bd..1fb4df0b81 100644 > --- a/Platform/RaspberryPi/RPi4/RPi4.dsc > +++ b/Platform/RaspberryPi/RPi4/RPi4.dsc > @@ -164,7 +164,7 @@ > !if $(SECURE_BOOT_ENABLE) == TRUE > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf > AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > - > + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf > # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf > !else > @@ -217,6 +217,7 @@ > MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf > HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf > ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf > + ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf > FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf > > [LibraryClasses.common.UEFI_DRIVER] > @@ -612,6 +613,8 @@ > NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf > } > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > + SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf > + SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf > !else > MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > !endif > diff --git a/Platform/RaspberryPi/RPi4/RPi4.fdf b/Platform/RaspberryPi/RPi4/RPi4.fdf > index 1e13909a57..0e43d24c7a 100644 > --- a/Platform/RaspberryPi/RPi4/RPi4.fdf > +++ b/Platform/RaspberryPi/RPi4/RPi4.fdf > @@ -189,7 +189,9 @@ READ_LOCK_STATUS = TRUE > INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > !if $(SECURE_BOOT_ENABLE) == TRUE > +!include SecurityPkg/SecureBootDefaultKeys.fdf.inc > INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf > + INF SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf > !endif > INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf > INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf > Reviewed-by: Pete Batard <pete@akeo.ie> Tested-by: Pete Batard <pete@akeo.ie> -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#75993): https://edk2.groups.io/g/devel/message/75993 Mute This Topic: https://groups.io/mt/83232294/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
Internally reviewed this patch before sending the edk2 mailing list and it looks good to me. Reviewed-by: Sunny Wang <sunny.wang@arm.com -----Original Message----- From: Grzegorz Bernacki <gjb@semihalf.com> Sent: Tuesday, June 1, 2021 9:12 PM To: devel@edk2.groups.io Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com> Subject: [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default Secure Boot variables initialization This commit allows to initialize Secure Boot default key and databases from data embedded in firmware binary. Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com> --- Platform/RaspberryPi/RPi4/RPi4.dsc | 5 ++++- Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc b/Platform/RaspberryPi/RPi4/RPi4.dsc index d8c6fdd4bd..1fb4df0b81 100644 --- a/Platform/RaspberryPi/RPi4/RPi4.dsc +++ b/Platform/RaspberryPi/RPi4/RPi4.dsc @@ -164,7 +164,7 @@ !if $(SECURE_BOOT_ENABLE) == TRUE TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTpmMeasurementLib.inf AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf - + SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf # re-use the UserPhysicalPresent() dummy implementation from the ovmf tree PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.inf !else @@ -217,6 +217,7 @@ MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAllocationLib.inf HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf + ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf [LibraryClasses.common.UEFI_DRIVER] @@ -612,6 +613,8 @@ NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf } SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf + SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf + SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf !else MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf !endif diff --git a/Platform/RaspberryPi/RPi4/RPi4.fdf b/Platform/RaspberryPi/RPi4/RPi4.fdf index 1e13909a57..0e43d24c7a 100644 --- a/Platform/RaspberryPi/RPi4/RPi4.fdf +++ b/Platform/RaspberryPi/RPi4/RPi4.fdf @@ -189,7 +189,9 @@ READ_LOCK_STATUS = TRUE INF MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf INF MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf !if $(SECURE_BOOT_ENABLE) == TRUE +!include SecurityPkg/SecureBootDefaultKeys.fdf.inc INF SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf + INF SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootDefaultKeysDxe.inf !endif INF MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCounterRuntimeDxe.inf INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf -- 2.25.1 IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#76052): https://edk2.groups.io/g/devel/message/76052 Mute This Topic: https://groups.io/mt/83232294/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
Reviewed-By: Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com> > -----Original Message----- > From: Grzegorz Bernacki <gjb@semihalf.com> > Sent: Tuesday, June 1, 2021 9:12 AM > To: devel@edk2.groups.io > Cc: leif@nuviainc.com; ardb+tianocore@kernel.org; Samer El-Haj-Mahmoud > <Samer.El-Haj-Mahmoud@arm.com>; Sunny Wang > <Sunny.Wang@arm.com>; mw@semihalf.com; upstream@semihalf.com; > jiewen.yao@intel.com; jian.j.wang@intel.com; min.m.xu@intel.com; > lersek@redhat.com; Grzegorz Bernacki <gjb@semihalf.com> > Subject: [edk2-platforms PATCH v2] Platform/RaspberryPi: Enable default > Secure Boot variables initialization > > This commit allows to initialize Secure Boot default key > and databases from data embedded in firmware binary. > > Signed-off-by: Grzegorz Bernacki <gjb@semihalf.com> > --- > Platform/RaspberryPi/RPi4/RPi4.dsc | 5 ++++- > Platform/RaspberryPi/RPi4/RPi4.fdf | 2 ++ > 2 files changed, 6 insertions(+), 1 deletion(-) > > diff --git a/Platform/RaspberryPi/RPi4/RPi4.dsc > b/Platform/RaspberryPi/RPi4/RPi4.dsc > index d8c6fdd4bd..1fb4df0b81 100644 > --- a/Platform/RaspberryPi/RPi4/RPi4.dsc > +++ b/Platform/RaspberryPi/RPi4/RPi4.dsc > @@ -164,7 +164,7 @@ > !if $(SECURE_BOOT_ENABLE) == TRUE > > TpmMeasurementLib|SecurityPkg/Library/DxeTpmMeasurementLib/DxeTp > mMeasurementLib.inf > AuthVariableLib|SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf > - > + > SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo > otVariableLib.inf > # re-use the UserPhysicalPresent() dummy implementation from the ovmf > tree > > PlatformSecureLib|OvmfPkg/Library/PlatformSecureLib/PlatformSecureLib.in > f > !else > @@ -217,6 +217,7 @@ > > MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemor > yAllocationLib.inf > HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf > ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf > + ShellCEntryLib|ShellPkg/Library/UefiShellCEntryLib/UefiShellCEntryLib.inf > FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf > > [LibraryClasses.common.UEFI_DRIVER] > @@ -612,6 +613,8 @@ > > NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.i > nf > } > > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf > + SecurityPkg/EnrollFromDefaultKeysApp/EnrollFromDefaultKeysApp.inf > + > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD > efaultKeysDxe.inf > !else > MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf > !endif > diff --git a/Platform/RaspberryPi/RPi4/RPi4.fdf > b/Platform/RaspberryPi/RPi4/RPi4.fdf > index 1e13909a57..0e43d24c7a 100644 > --- a/Platform/RaspberryPi/RPi4/RPi4.fdf > +++ b/Platform/RaspberryPi/RPi4/RPi4.fdf > @@ -189,7 +189,9 @@ READ_LOCK_STATUS = TRUE > INF > MdeModulePkg/Universal/FaultTolerantWriteDxe/FaultTolerantWriteDxe.inf > INF > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > !if $(SECURE_BOOT_ENABLE) == TRUE > +!include SecurityPkg/SecureBootDefaultKeys.fdf.inc > INF > SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig > Dxe.inf > + INF > SecurityPkg/VariableAuthenticated/SecureBootDefaultKeysDxe/SecureBootD > efaultKeysDxe.inf > !endif > INF > MdeModulePkg/Universal/MonotonicCounterRuntimeDxe/MonotonicCount > erRuntimeDxe.inf > INF EmbeddedPkg/ResetRuntimeDxe/ResetRuntimeDxe.inf > -- > 2.25.1 IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77611): https://edk2.groups.io/g/devel/message/77611 Mute This Topic: https://groups.io/mt/83232294/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=-=-=-=-=-=-=-=-=-=-=-
© 2016 - 2024 Red Hat, Inc.